HIPAA Breach Class-Action Dismissed for Lack of Evidence of Harm

A class-action data breach lawsuit – Cox v. Valley Hope Association – has been dismissed by the U.S. District Court for The Western District of Missouri Central Division for lack of standing.

In February 2016, Valley Hope Association, a healthcare organization providing drug, alcohol, and addiction treatment services, alerted patients to a breach of ePHI that occurred on December 30, 2015.

The PHI of more than 52,000 patients was exposed when an unencrypted laptop computer was stolen from the vehicle of an employee. The data stored on the device included the personal and treatment information of 52,076 patients. While the laptop computer required a password to access the data, the device was not encrypted.

After being notified of the breach, plaintiff Robert Cox filed the suit in Missouri state court on March 17, 2016. Cox and other members of the putative class sought damages for the exposure of personal information and increased risk of identity theft.

In the suit, Cox claimed Valley Hope Association breached its fiduciary duty, breached its contract, violated the state consumer protection statute, and was negligent. Cox said he suffered “loss of privacy, confidentiality, embarrassment, humiliation, loss of income, [and] loss of enjoyment of life.”

He claimed that as a result of the theft, he and other putative class members “are at a heightened risk for future identity theft” and that they paid for privacy protections that they did not receive. Valley Hope Association sought to have the case dismissed in its entirety as Cox failed to state any injuries upon which relief can be granted.

United States District Judge Nanette K. Laughrey granted Valley Hope’s motion to dismiss, deeming the case to be “too speculative.” There was not a serious risk of impending harm and the risk of identity theft relied upon “a highly attenuated chain of possibilities.” The thief would be required to gain access to the data stored on the laptop, which would require the cracking of the password, obtain the data for Cox, and then using those data for malicious purposes.

Cox claimed that he and other members of the class had overpaid for privacy protections, and while this potentially could lay the basis for standing, in this case it did not. District Judge Laughrey ruled that Cox failed to “allege or argue that Valley Hope expressly charged him more for its security services, offered its core addiction treatment services at a cheaper price to customers who waived security protections.” He also did not state in the case that he “would never have purchased any services from Hope Valley if he knew the true value of its security measures.”

The case has been remanded to the state court where it was filed for all further proceedings, as the case was deemed to lack Article III standing for federal court.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.